Dashboards & Visualizations

How to populate the counts in 2 panels based on the selection from a drop-down menu?

guillecasco
Path Finder

I have two panels in a dashboard and I would like that the number of counts adjust to the drop-down menu.

The two panels are:

event        count                       
success      8                                   
error        7                                   
N/I          10
....         .....

Type error    count
00001         7
00002         12
........      .......

In all logs, there is a field named: CLIENT_ID (only 4 kinds of that client). Is there a way to include a drop-down menu with the 4 kinds of clients, and depending which one I choose, filter counts of both panels? I read something related to the token in the drop-down menu and also putting $$ in the XML code. How can I do this? Should the search of both panels need to have the client id somewhere? I don't want client id in panels, just the 2 columns I have now.

0 Karma

sundareshr
Legend

Here's what you need

  1. Drop-down with client list generated dynamically. You can achieve this somewhat like this

    <input type="dropdown" token="tokClient" searchWhenChanged="true">
          <label>Select client</label>
          <search>
            <query>index=* | stats count  by client_id</query>
            <earliest>@d</earliest>
            <latest>now</latest>
          </search>
          <fieldForLabel>client_id</fieldForLabel>
          <fieldForValue>client_id</fieldForValue>
    </input>
    

    OR
    You can hard-code the list of client_id in your drop-down, like this

        <input type="dropdown" token="tokCLient" searchWhenChanged="true">
          <label>Select client</label>
          <choice value="One">One</choice>
          <choice value="Two">Two</choice>
          <choice value="Three">Three</choice>
        </input>    
    

    Create your dashboard panels using the tokClient in your search. Like this

    <table>
    
                <search>
                  <query>index=* client_id=$tokClient$ | table _time client_id</query>
                </search>
    

    http://docs.splunk.com/Documentation/Splunk/6.4.0/Viz/Buildandeditforms

0 Karma

guillecasco
Path Finder

Ok, but how am I supposed to add:

index=* client_id=$tokClient$ | table _time client_id  

to both searches of the 2 panels? They don't have any client ID. Here are the 2 searches of both panels.

PANEL 1

index="index1" | stats count by name  

PANEL 2

index="index1" ERRORS | stats count by errorCode |sort -num(count)|   
0 Karma

sundareshr
Legend

Thought you said "In all logs, there is a field named: CLIENT_ID "?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...